The Legislative Audit Committee 
of the Montana State Legislature: 


We conducted an Information Systems audit of Banner which is maintained and operated 
by The University of Montana—Missoula to assist in the administration of financial, 
human resource, student and financial aid records. The intent of the Banner audit was to 
identify and test key controls over the application’s Finance and Financial Aid modules 
to ensure the modules are operating as intended. This report outlines conclusions from 
our review and contains no recommendations. 


Tori Hunthausen 


REPORT SUMMARY 


Banner: Administrative Services System 


The Banner system is used by The University of Montana—Missoula (UM) to assist in 
the administration of financial, human resource, student, and financial aid records. 
Banner consists of baseline functionality, as delivered by a third party vendor, and 
customized functionality through modifications developed by UM. Banner is 
maintained by UM departments responsible for data (Financial Aid, Registrar’s 
Office, etc.) with hardware and modification support handled by UM’s Department 
of Information Systems and Technology. Within the department, hardware support is 
provided by Central Systems Support Services while modification support is provided 
by Enterprise Information Systems. 


The Banner system consists of four modules: 


• Finance — manages UM financial data including budget, accounts, ledgers, 
purchases, and payments. 


• Human Resources — manages UM employment information and payroll 
processing including job and employee information, taxes, benefits, and 
deductions. 


• Student Services — manages UM student academic information including 
admissions, class registration, course information, rosters, grading, and 
enrollment status of students. 


• Financial Aid — manages the UM student financial aid process from the 
receipt of the student’s financial aid form through needs assessment and 
award issuance. 


To help determine system risks, we reviewed system processes and changes, and 
considered prior audit testing and Banner delivered processing. Although our risk 
assessment covered the entire UM Banner system, this audit focused on high risk areas 
of the Finance and Financial Aid modules. Audit work was conducted to ensure: 


• access to Banner functionality is limited to users with identified business 
needs 


• modifications to Banner follow UM change management procedures 


• select Banner processing controls function as UM management intends 


This report discusses the work performed during this audit. Overall, we did not 
identify any significant control weaknesses. We noted access is limited, change control 
procedures are followed, and select processing controls function as intended. As a 
result, there are no recommendations in this report. 


Chapter I — Introduction and Background 


Introduction 


Information Systems conducted an audit over controls residing within the Banner 
system at The University of Montana—Missoula (UM). The intent of the Banner 
audit was to identify and test key controls over the application to ensure the system 
operates as intended. In addition to this report, we provided an internal memorandum 
to Legislative Audit Division (LAD) staff providing detailed control information to 
consider during other audit work. 


Background 


The Banner system is used by UM to assist in the administration of financial, human 
resource, student and financial aid records. Banner consists of baseline functionality, as 
delivered by a third-party vendor, and customized functionality through modifications 
developed by UM. Banner is maintained by UM departments responsible for data 
(Financial Aid, Registrar’s Office, etc.) with hardware and modification support 
handled by UM’s Department of Information Systems and Technology. Within the 
department, hardware support is provided by Central Systems Support Services while 
modification support is provided by Enterprise Information Systems. 


Banner is made up of four modules: Finance, Human Resources, Student Services, and 
Financial Aid. Within each module are subsystems providing different functionality 
to Banner users. 


The Finance module manages UM financial data including budget, accounts, ledgers, 
purchases and payments. It includes the following subsystems and functionality: 


• Accounts Payable — processes invoices, maintains vendor data, calculates 
discount and payment schedules, and manages tax disbursements. 


• Purchasing — manages both immediate purchases and purchases requiring a 
bid process. 


• Accounts Receivable — maintains charge and payment information for 
individual accounts, including student accounts. 


• Posting — moves transactions from all functions into UM ledgers. 


• Capital Assets Management — maintains assets over $5,000. 


The Human Resources module manages UM employment information and payroll 
processing including job and employee information, taxes, benefits and deductions. It 
includes the following subsystems and functionality: 


• Employment — manages employee information, job profiles, and benefit 
information. 


• Payroll — manages time entry, approval and payroll process. 


The Student Services module manages student academic information including 
admissions, class registration, course information, rosters, grading and enrollment 
status of students. It includes the following subsystems and functionality: 


• Admissions — tracks potential students and manages student admissions. 


• Registration — manages student registration and grades. 


The Financial Aid module manages the student financial aid process from the receipt 
of the student’s financial aid form through needs assessment and award issuance. It 
includes the following subsystems and functionality: 


• Financial Aid Drawdown — process to download federal financial aid forms 
for integration into Banner. 


• Satisfactory Academic Progress — process for ensuring students maintain 
federally required academic levels to receive financial aid. 


• Verification — process for ensuring students are completely and accurately 
filling out financial aid forms. 


• Packaging — process where a student's financial aid need and eligibility are 
determined and financial aid is made available and awarded to students. 


Additionally, Banner interacts with an online portal, CyberBear, for faculty, staff, and 
students to access and update Banner information online. It does not store data and 
serves as an access point to the modules described above. 


Although our risk assessment covered the entire UM Banner system, this audit focused 
on high risk areas of the Finance and Financial Aid modules. 


Audit Objectives 
This Information Systems audit addressed the following objectives: 


1. Ensure access to select Banner functionality is limited to users with identified 
business needs. 


2. Ensure modifications to Banner follow UM change management procedures. 


3. Ensure select Banner processing controls function as UM management 
intends. 


Scope and Methodology 


To help determine system risks, we reviewed system processes and changes, and 
considered prior audit testing and Banner delivered processing. In addition to the 
high risk areas of the Finance and Financial Aid modules, we also reviewed system 
modifications and followed up on Banner security from a previous audit. Finally, we 
provided detailed control information to LAD audit staff for use in other audit work. 


Audit methodologies included interview of staff, query and analysis of Banner data, 
review of Banner documentation, and observation of Banner and UM staff operations. 
We evaluated the control environment using state law and policy, UM Security Plan 
and federal law. The audit was conducted in accordance with Government Auditing 
Standards published by the United States Government Accountability Office (GAO). 


UM Banner Security 


We performed an Information Systems audit in 2008 over UM compliance with its 
Security Plan. Based on our work, we identified seven areas warranting management 
attention. In addressing our fourth objective, we determined UM has either addressed 
or is addressing all identified areas. The seven areas included: 


1. Environmental risk within the UM data center 

2. Physical access to the UM data center 

3. Desktop security implementation 

4. Keeping the Banner Security Plan up-to-date 

5. Incomplete user access requirements in the Banner Security Plan 

6. Incomplete user profile segregation of duties in the Banner Security Plan 

7. Undefined user privileges in the Banner Security Plan 


Management Memorandum 


During the course of our audit, we identified the following three areas warranting 
management attention: 


1. Student Fees — Certain student fee reconciliations were in place but could be 
strengthened. 


2. Satisfactory Academic Progress (SAP) — SAP flags prevent students from 
obtaining financial aid. The flags can be manually removed; however, 
minimal monitoring occurs and could be strengthened. 


3. Time Approval — UM policy only requires one signature for payroll time 
approval allowing individuals in three of 141 UM departments to approve 
their own time. UM policy could require a second approving signature for 
all time approvals. 


Although not included as recommendations in this report, our suggestions were 
presented to UM for its consideration. 


Chapter II — Select Banner Access 


Who Can Access University Information? 


Automated systems store one of an organization’s most valuable assets — data. These 
systems are often critical in supporting the organization’s functionality. In order to 
protect the system and data from unauthorized activity, access should be controlled. 
Controlling access allows employees to complete assigned job responsibilities while 
increasing security over confidential information. The University of Montana— 
Missoula (UM) relies on user access controls in all components of Banner. To obtain 
access within Banner, a user must complete a Banner Account Request form and 
obtain necessary approval. The forms are routed to Banner security personnel for 
access assignment. To satisfy our first audit objective, we reviewed select user access in 
the Finance and Financial Aid (FA) modules. 


Finance Module 


Vendor Data 


To make payments on purchases, Banner requires vendor information to exist in the 
system and an invoice to be created and approved. Since vendor payments are generated 
using information stored in Banner, access to vendor data should be controlled to 
prevent unauthorized changes. To ensure vendor data access is limited to users 
commensurate with job responsibilities, we queried Banner to obtain a list of users 
with rights to add or modify vendor data and compared the results with information 
from Accounts Payable (AP) management regarding job duties. We determined access 
to vendor data is limited to users with identified business needs. 


Invoice Creation 


Invoices are manually entered into Banner either by UM department personnel or AP 
staff in Business Services. Invoice creation includes adding vendor information stored 
in the vendor table. Once created, each invoice is to be approved prior to payment; if 
not approved, the invoice is not paid. Any individual having access to update vendor 
table data and create and approve invoices has the ability to create their own payments. 
To ensure controls prevent any individual from having access to all three functions, 
we obtained a list of individuals with the ability to enter and approve invoices and 
compared it with the list of individuals having update access to the vendor table. We 
determined controls enforce segregating the ability to enter and approve invoices and 
update vendor information. 


Student Fees 


Banner’s Accounts Receivable (AR) subsystem tracks all UM customer accounts, both 
student and nonstudent. Student fees are generally managed by AR staff in Business 
Services, while nonstudent fees are managed by UM Treasury personnel. Since student 
fees make up the majority of AR transactions, we reviewed AR staff access to change 
or remove student fees. We obtained a list from AR management specifying staff with 
the need to change or remove student fees and compared it to the list of individuals we 
obtained through query of Banner. Both lists matched, indicating all individuals with 
rights in Banner to remove student fees have an identified business need. 


Financial Aid Module 


Satisfactory Academic Progress 


In order to receive federal financial aid, U.S. Department of Education (DOE) 
regulations require students to meet both quantitative and qualitative measurements. 
This is called Satisfactory Academic Progress (SAP). At UM, SAP is passing 70 percent 
of classes attempted with a cumulative minimum GPA of 2.0. The University monitors 
student progress and relies on Banner to flag SAP violations. If a student does not meet 
any of the SAP requirements, Banner will flag the student account and prevent any 
further processing of financial aid eligibility. The flag must be manually changed in 
order for the student to be eligible for FA. 


We reviewed how SAP policies are entered into Banner to ensure controls prevent 
unauthorized SAP policy changes. Our audit work determined SAP policies are part 
of Banner’s programming code and changes must follow UM’s change management 
policy and procedures. We reviewed the code for the 2008-09 school year and observed 
the rates match UM requirements. 


Verification 


Banner's financial aid process begins with importing financial aid forms from the 
DOE. The DOE requires UM to verify a percentage of the forms to ensure students 
are completely and accurately filling out the forms. To ensure this occurs, DOE flags 
a sample of up to 30 percent of financial aid forms for verification. Once a student's 
form is flagged in Banner, financial aid cannot be received until the student supplies FA 
evaluators with the required verification documentation. Once all the documentation 
has been submitted to the FA office and confirmed by the evaluators, the Banner record 
is updated by marking the documents as collected. The flag can then be removed and 
the form will continue being processed. 


We reviewed access to determine if verification flag removal is limited to FA evaluators 
only. We obtained a list of evaluators from FA management and compared it to a list 
from Banner of individuals with the ability to remove verification flags. Both lists 
matched, indicating only FA evaluators can remove the verification flag. In addition, 
we reviewed the ability to mark documents as collected in Banner to ensure it was 
segregated from the ability to remove the verification flag. Any individual with access 
to both could mark documentation as collected and remove the verification flag, even 
if no documentation was received. This potentially allows a student to receive financial 
aid without completely or accurately filling out their financial aid form. Our review 
identified FA evaluators could perform both tasks; however, FA management asserted 
the access was needed to perform job requirements. To compensate, we determined 
FA staff perform random file checks to ensure all DOE required documentation is in 
the file. As a result, verification controls exist to ensure documentation is only being 
marked as collected. 
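

The access comparisons described under Invoice Creation and Verification reduce to two checks: reconcile the system's grants against management's list, then look for any user holding a conflicting combination of privileges. The Python below is an added illustration, not code from the audit or from Banner; the user IDs, privilege names and rule names are constructed placeholders.

```python
from collections import defaultdict

# Constructed extract: (user, privilege) rows such as a query of the
# application's security tables might return. Names are placeholders.
GRANTS = [
    ("ap_clerk1", "VENDOR_UPDATE"),
    ("ap_temp", "VENDOR_UPDATE"),
    ("ap_temp", "INVOICE_CREATE"),
    ("ap_temp", "INVOICE_APPROVE"),
    ("dept_user", "INVOICE_CREATE"),
    ("dept_user", "INVOICE_APPROVE"),
    ("fa_eval1", "DOC_MARK_COLLECTED"),
    ("fa_eval1", "VERIF_FLAG_REMOVE"),
    ("fa_eval2", "DOC_MARK_COLLECTED"),
    ("fa_eval2", "VERIF_FLAG_REMOVE"),
    ("fa_temp", "VERIF_FLAG_REMOVE"),
]

# Constructed management lists: who has an identified business need.
APPROVED = {
    "VENDOR_UPDATE": {"ap_clerk1"},
    "VERIF_FLAG_REMOVE": {"fa_eval1", "fa_eval2"},
}

# Privilege combinations no single user should hold.
SOD_RULES = {
    "create_own_payment": {"VENDOR_UPDATE", "INVOICE_CREATE", "INVOICE_APPROVE"},
    "unsupported_verification": {"DOC_MARK_COLLECTED", "VERIF_FLAG_REMOVE"},
}

# Conflicts management accepts because a compensating control exists.
COMPENSATING = {"unsupported_verification": "random file checks"}


def reconcile(grants, approved):
    """Compare actual grants with management's list, per privilege."""
    actual = defaultdict(set)
    for user, priv in grants:
        actual[priv].add(user)
    report = {}
    for priv, allowed in approved.items():
        report[priv] = {
            # Holds the privilege but is not on management's list.
            "unapproved": sorted(actual[priv] - allowed),
            # On management's list but holds no such privilege.
            "not_granted": sorted(allowed - actual[priv]),
        }
    return report


def sod_findings(grants, rules, compensating):
    """Return (user, rule, compensating control or None) for each conflict."""
    by_user = defaultdict(set)
    for user, priv in grants:
        by_user[user].add(priv)
    findings = []
    for user in sorted(by_user):
        for rule in sorted(rules):
            if rules[rule] <= by_user[user]:  # user holds every privilege in the rule
                findings.append((user, rule, compensating.get(rule)))
    return findings


if __name__ == "__main__":
    for priv, result in reconcile(GRANTS, APPROVED).items():
        print(priv, result)
    for finding in sod_findings(GRANTS, SOD_RULES, COMPENSATING):
        print(finding)
```

A finding with no compensating control is the case that needs follow-up; one with a compensating control still needs evidence that the control actually operates.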


Cost of Attendance 


Key to determining student financial aid is the base Cost of Attendance (COA). The 
COA is how much it will cost a student to attend UM, depending on student status. 
Banner compares the COA to student expected family contributions (income, etc.) 
with the difference being the student’s need. The FA Director initially determines 
the base COA and manually enters it into Banner. To ensure controls prevent 
unauthorized COA changes in Banner, we reviewed a list of individuals with access 
to change the COA. Our work identified 21 individuals with the ability to change 
the COA. According to FA management, the access is needed in specific cases where 
additional costs are identified. However, the access does not allow the base COA to be 
changed. For example, if the base COA for a full-time student is $1,700 for a semester, 
but books will cost an additional $700, the new total COA can be changed to $2,400. 
However, when the addition is made, the base COA ($1,700) is not changed. We 
reviewed instances where additional COA appeared and determined, in each instance, 
the base COA was not changed. 


CONCLUSION 


Based on audit work, we conclude access to select Banner Finance and 
Financial Aid functionality is limited to users with identified business needs. 


Chapter III — Select Banner Modification 


How Has Banner Changed? 


Banner is a commercial-off-the-shelf system. When a system such as Banner is 
implemented, system functionality is considered delivered, or baseline. However, the 
system may not perform as expected or needed by the implementing organization, thus 
requiring system modification. To ensure modifications operate as intended and do not 
have adverse impact, The University of Montana—Missoula (UM), has implemented 
change control procedures to request, develop, test, and implement modifications to 
Banner functionality. To address our second objective, we reviewed modifications to 
Banner’s Finance and Financial Aid modules to answer the following questions: 


• Was Banner baseline functionality changed? 


• If so, does Banner still function as UM intends? 


• Did modifications follow UM’s change control procedures? 


Finance and Financial Aid Modules 


Overall, Banner Finance provides a financial management system allowing the ability 
to track, maintain, and process UM financial data while Financial Aid (FA) manages 
the student financial aid process from the receipt of the student’s financial aid form 
through needs assessment and award issuance. We identified 232 UM modifications 
to Banner since the last UM Banner audit (December 2007). Our review focused on 
modifications with the highest level of impact to the system as determined by UM. 
The modifications were rated as high, medium, or low based on the following: 


• High — have the greatest amount of impact on Banner and generally change 
Banner’s baseline functionality. 


• Medium — generally do not affect Banner’s baseline functionality, but may 
change how previous modifications perform. 


• Low — have the least amount of impact on Banner functionality, generally 
consisting of changes to reports such as what shows in a report or what can 
be seen in a report’s description fields. 


Of the 39 modifications UM identified as having high impact on Banner functionality, 
10 were in Finance and 8 were in FA. Examples of the 18 modifications include: 


• A new pharmacy code was added to Banner processing. 


• UM added an additional type of journal entry transaction entered into 
Banner. 


• Student deferred payment plan request forms were modified to allow deferred 
payments through CyberBear for any semester except summer. 


• UM’s max credit rules (maximum amount of financial aid any student can 
receive) are more stringent than the federal standards, so Banner’s rules were 
adjusted to meet UM’s rules. 


• Student financial aid notices were adjusted to no longer show lender 
identification numbers. 


Although the modifications affected Banner processing, our review indicated system 
functionality remained as expected. UM’s change control procedures include 
documenting modification requests, testing each modification, and signing off 
when testing is successfully completed. Acceptance of the modification and signing 
for each modification put into production must also be documented. We reviewed 
documentation for all 18 modifications and determined each followed UM’s change 
control procedures. 


CONCLUSION 


Based on audit work, UM has modified Banner’s baseline functionality; 
however, system functionality remained as expected. Furthermore, select 
modifications followed UM’s change control procedures. 





Chapter IV — Banner Processing Controls 


How Does Banner Process Data? 


The University of Montana—Missoula (UM) maintains data and information from 
students, vendors, employees, etc. In order to be usable, the data and information 
must be stored in a structured fashion. To do this, the system performs mathematical 
and logical operations, or processes, on the data. Processing controls ensure Banner 
functions as expected. To address our third objective, we reviewed specific Banner 
processing controls to ensure operations occur as expected. 


Finance Module 


Purchasing Payments 


The purchase and subsequent payment for goods and services obtained by UM occurs 
within the Accounts Payable (AP) and Purchasing subsystems. UM purchases may be 
paid through multiple methods; following are the two most common: 


1. Direct Payment — Generally AP departmental personnel enter vendor 
invoices in Banner. Once invoices are approved, Banner processes them for 
payment. This is the most frequent form of purchasing payments. 


2. Bid Process — In this process, a requisition is created and approved in Banner. 
Then a Request For Proposal is created and released, bids are received, and 
the winning bid is approved by the initiating department. Subsequently, a 
purchase order (PO) is created and approved which also attaches (encumbers) 
the initiating department's funds to the PO. When payments on the PO 
are made, an invoice is created and paid based on PO data. This process is 
generally used for large dollar amount purchases. 


We reviewed invoice payments for fiscal years 2008 and 2009 to ensure controls 
prevented payments from exceeding invoice amounts. We queried Banner for all 
payments and related invoices for both fiscal years and performed data analysis 
comparing query results. All payments were equal to the amounts on the related 
invoices. 


Purchase Order Invoicing 


To ensure controls prevented invoice amounts from exceeding originating PO amounts, 
we queried Banner to obtain both amounts for fiscal years 2008 and 2009. Our data 
analysis identified 740 invoice amounts larger than the originating PO. According to 
AP management, invoices can be changed to account for: 


• Added fees — fees not accounted for in the original PO. 


• Shortages — UM did not receive or use the full amount on the original PO. 


• Overshipments — occasionally a vendor will overship on a PO and UM will 
keep and pay for the overshipment. 


• Shipping — occasionally UM will need an item faster than through normal 
shipping which will cost more than stated in the PO. 


Additional work identified controls in place requiring approval by either the Purchasing 
or AP manager before invoice changes are made. 


Required Invoice Data 


Department funds are attached to payments based on a department identifier (index 
number) entered during the creation of an invoice or PO. To ensure this number is 
required, we observed AP and Purchasing staff attempt to process invoices and POs 
with a closed, invalid, or missing index number. In each case, Banner would not allow 
the invoice or PO to be completed. 


Invoice Approvals 


Banner requires invoices to be approved prior to payment. UM’s primary methods of 
approval are: 


• AP and Purchasing management signoff in Banner 


• UM staff approve the invoices they enter (implicit approval) 


When management approval is required, Banner will not allow an invoice or PO to 
be completed and processed for payment without approval. However, with implicit 
approval, UM staff can create and approve their own invoices as long as the invoice is 
under a set dollar amount. Because implicit approval potentially allows an invoice to 
be created, approved and paid to the same individual, we reviewed related controls. AP 
management asserted they receive a monthly report listing invoices created, approved 
and paid to the same individual. Management researches each invoice listed on their 
report and documents the results. We queried Banner for invoices created and approved 
for fiscal years 2008 and 2009, as well as who received payments for those invoices. 
Our data analysis identified 35 invoices created, approved and paid to either the same 
individual or an individual with the same last name. AP management stated there are 
specific circumstances where this would be an approved activity. For example, UM 
employees are paid as vendors for reimbursement of approved departmental purchases. 
From our results, we selected the month with the most invoices (January 2009) and 
confirmed AP management's monthly report results matched ours. We also observed 
management's research for each invoice was documented. 
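

The invoice analysis described above (invoices created and approved by one person and paid to that person or to someone with the same last name, then a comparison with management's report for the busiest month) could be scripted as follows. This is an added Python illustration, not the auditors' query; the invoice rows, people and field names are constructed.

```python
from collections import Counter

# Constructed sample rows; field names are assumptions, not Banner columns.
INVOICES = [
    {"id": "I0001", "created_by": "Pat Olsen", "approved_by": "Pat Olsen",
     "payee": "OLSEN, PAT", "paid": "2009-01-12"},
    {"id": "I0002", "created_by": "Pat Olsen", "approved_by": "Pat Olsen",
     "payee": "Olsen, Kim", "paid": "2009-01-20"},
    # Separate approver, so the implicit-approval risk does not apply.
    {"id": "I0003", "created_by": "Lee Marsh", "approved_by": "Dana Ruiz",
     "payee": "Marsh, Lee", "paid": "2009-01-22"},
    # Self-approved, but paid to an unrelated vendor.
    {"id": "I0004", "created_by": "Dana Ruiz", "approved_by": "Dana Ruiz",
     "payee": "Acme Lab Supply", "paid": "2009-02-03"},
    {"id": "I0005", "created_by": "Sam Hart", "approved_by": "Sam Hart",
     "payee": "Sam Hart", "paid": "2008-11-05"},
]


def split_name(name):
    """Return (first, last) in lower case for 'First Last' or 'Last, First'."""
    name = " ".join(name.lower().split())
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
    else:
        parts = name.split(" ")
        first, last = parts[0], parts[-1]
    return first, last


def classify(inv):
    """Reason an invoice needs research, or None if it does not."""
    creator = split_name(inv["created_by"])
    if creator != split_name(inv["approved_by"]):
        return None
    payee = split_name(inv["payee"])
    if payee == creator:
        return "same_individual"
    # A shared last name is only a lead; it also matches unrelated people.
    if payee[1] == creator[1]:
        return "same_last_name"
    return None


def flag_invoices(invoices):
    """Return (invoice id, reason, YYYY-MM paid) for every flagged invoice."""
    return [(inv["id"], reason, inv["paid"][:7])
            for inv in invoices
            if (reason := classify(inv)) is not None]


def busiest_month(flags):
    """Month with the most flagged invoices, or None if nothing was flagged."""
    counts = Counter(month for _, _, month in flags)
    return counts.most_common(1)[0][0] if counts else None


def compare_with_report(flags, month, report_ids):
    """Differences between our results and management's report for a month."""
    ours = {inv_id for inv_id, _, m in flags if m == month}
    return {
        "missing_from_report": sorted(ours - set(report_ids)),
        "not_in_our_results": sorted(set(report_ids) - ours),
    }


if __name__ == "__main__":
    flags = flag_invoices(INVOICES)
    month = busiest_month(flags)
    print(flags)
    print(month, compare_with_report(flags, month, {"I0001", "I0002"}))
```

Reimbursements to employees set up as vendors will appear in the output, which is why each flagged invoice is researched and documented rather than treated as an exception by default.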


Financial Aid Module 


As mentioned in Chapter II, the Cost Of Attendance (COA) is the student cost for 
attending UM. FA management manually calculates the COA and keeps a hard copy 
of the results. The COA is manually entered into Banner. A comparison of the figure in 
Banner with the calculated cost is performed to ensure the COA was entered correctly 
and, if it is correct, the review is noted on the hard copy. We compared the COA for 
the 2008-09 school year; the figures in Banner matched those on the hard copy. We 
also observed notation on the hard copy indicating the comparison was performed. 


CONCLUSION 


Based on audit work, we conclude select Banner Finance and Financial Aid 
processing controls function as UM management intends. 


Office of the President 
The University of Montana 
Missoula, MT 59812-3324 
Office: (406) 243-2311 
FAX: (406) 243-2797 


RECEIVED 
JAN 21 2010 
LEGISLATIVE AUDIT DIV. 


21 January 2010 


Ms. Tori Hunthausen 
Legislative Auditor 
Legislative Audit Division 
Room 135 State Capitol 
P.O. Box 201705 
Helena, MT 59620-1705 


Dear Ms. Hunthausen: 


We thank the Legislative Audit staff for their professional work on the Banner Administrative 
Services System Audit. While conducting the audit, we found the Legislative Staff thorough and 
that they dealt with important controls and security of our administrative systems. The 
University will address the identified areas of concern as present in the management memo. We 
appreciate the cooperative efforts made by the audit team and thank those involved for their 
assistance. 


Sincerely, 




George M. Dennison 
President 


GMD/ce 
Denlet4108 


c: S. Stearns, Commissioner of Higher Education 


